Apple Must Forever Threat Model Against Itself

Apple, like most advanced tech companies, understands threats and how to close them off. But one salient point that’s emerged from its ongoing dispute with the FBI over unlocking the San Bernardino shooter’s phone is that Apple is a threat to itself. Therefore, it should be no surprise that Apple engineers are already reportedly working on iPhone security updates that take into account Apple as part of its threat model.

Meanwhile, the war of words between Apple and the FBI escalated again last night when CEO Tim Cook appeared on ABC News and likened the new firmware the government has asked for, which would bypass existing security on the device, to “the software equivalent of cancer.” Cook reiterated that Apple’s defiant stance is about fending off the precedent that meeting such a demand would create. The government would have at its disposal a mechanism for similarly unlocking devices in perpetuity, not just for national security cases but also for lower-profile criminal cases. This is largely because Apple currently has the ability to update firmware without the need for the user to enter their passcode on the phone.

Jonathan Zdziarski, a noted iOS forensics expert, told Threatpost that he expects Apple to close this off in short order, as well as shore up the Secure Enclave, which protects newer versions of the iPhone by brokering access to encryption keys for services on the device that require encryption. He believes Apple’s threat model will include itself going forward.

“They probably will shore up Secure Enclave so that it doesn’t accept new firmware without being unlocked first. Minor tweaks to Secure Enclave should be enough to keep Apple out without going to extreme efforts to break in,” Zdziarski said. “Once you get past being able to write and sign your own firmware, you have to get in with electron microscopes and look at the fuse array where the Device ID encryption is based. You have to get to deep logic levels to the point where you’re messing with silicon.”

Zdziarski wrote a post to his personal website on Wednesday describing 13 iOS security improvements Apple should consider. Among them is a modification to DFU, or Device Firmware Upgrade, mode so that it is destructive and drops the encryption keys before loading an image unless the phone has been unlocked by the user. He also advocates that Apple encrypt backup data sent to iCloud with keys derived from the user’s alphanumeric backup password.

“The iPhone (6) today, I think is reasonably secure the way it is. The only reason we are having this conversation at all is that the subject was lax enough in their security practices to use a weak passcode,” Zdziarski said in reference to suspect Syed Farook, whose four-digit numeric code guards the data on the iPhone 5c coveted by the FBI. Zdziarski points out that a six-character alphanumeric passcode would take years to crack with a modern computer, and an 11-character code more than 100 years. “This is the classic encryption problem. The strength of the password is still going to determine the strength of the security on the device. Even if the FBI got Apple to remove all the security features from the device today, the key derivation alone will render that encryption infeasible to break if they had used a good passcode.”

The FBI hopes to crack the device in order to learn whether Farook had any other contacts or information that could be useful in this investigation or others related to national security and terrorism. Last week, a federal magistrate ordered Apple to assist the FBI by writing new firmware that would bypass security features such as the introduction of a significant and escalating time lag between incorrect guesses of the passcode, as well as the wiping of the device after 10 incorrect tries. The FBI hopes to compel Apple to write new firmware that would also allow them to use a computer to generate guesses and brute-force the device. While the FBI and the court insist this is a one-time request, Apple attorney Marc Zwillinger two days ago unsealed a document sent to the court that revealed a dozen similar requests made to Apple by the government in cases of varying severity. Apple has objected to 10 of those requests—made since October—and is awaiting more documentation in two other requests.

“We think it’s bad news to write (the new firmware). We would never write it. We have never written it,” Cook said, acknowledging the complexity and emotions involved. “It is about the future. Think about this: If a court compels Apple to write this piece of software, to place a backdoor in the iPhone, we believe it does put hundreds of millions of customers at risk.”

Zdziarski said he believes Apple would bring this to the Supreme Court if need be, and that Congress should intervene at some point given that the American people have not been represented in this debate to date.

“This is high profile enough that at some point, the heat of it all this is going to back the FBI off this, or it will get taken as high up as it can go and we’ll see some kind of decision based on that,” he said.

Apple was given five days to respond to the court order, and that runs out tomorrow.

“This is not a position that we would like to be in, it is a very uncomfortable position,” Cook said. “To oppose your government on something doesn’t feel good. And to oppose it on something where we are advocating for civil liberties which they are supposed to protect, it is incredibly ironic.”